Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Keeping your Azure VMs up-to-date with the update management solution

Based on the Azure services Log Analytics and Azure Automation you can use three new capabilities in the Azure portal for your Azure VMs: inventory, change tracking, and update management.

-> https://azure.microsoft.com/en-us/updates/update-management-inventory-and-change-tracking-are-available-in-azure-automation/

In this blog article I will talk about the update management solution. If you are familiar with Log Analytics and its former update management solution, you will like this one for sure.

Before we dive in, let us have a look at the advantages and limits of the update management solution. The advantages are cool. First, the service is free and supports both Windows and Linux. If you do not have a patch management solution like WSUS or SCCM in place for your Azure environment, you should go with the update management solution. You have WSUS or SCCM in place? Consider going with the update management solution anyway. Besides Azure VMs, it also supports non-Azure VMs. So, it is a true hybrid cloud solution running in Azure.

Here are some limits you must consider:

  • Windows Server 2008 R2 SP1 and later
  • Nano Server is not supported.
  • Windows client operating systems are not supported.
  • Windows agents must either be configured to communicate with a Windows Server Update Services (WSUS) server or have access to Microsoft Update.
  • System Center Configuration Manager cannot manage the Windows agent concurrently.
  • CentOS 6 (x86/x64) and 7 (x64)
  • Red Hat Enterprise 6 (x86/x64) and 7 (x64)
  • SUSE Linux Enterprise Server 11 (x86/x64) and 12 (x64)
  • Ubuntu 12.04 LTS and newer (x86/x64)
  • Linux agents must have access to an update repository.
  • This solution doesn’t support an OMS Agent for Linux configured to report to multiple Operations Management Suite workspaces.

-> https://docs.microsoft.com/en-us/azure/automation/manage-update-multi

Hopefully, you already have an Azure Automation account deployed and connected to a Log Analytics workspace. Otherwise, have a look at the documentation on how to enable the update management solution and onboard Azure VMs.

-> https://docs.microsoft.com/en-us/azure/automation/automation-onboard-solutions#onboard-an-azure-virtual-machine-manually

Now let us dive deeper into the update management solution. The great thing about this solution is that it is directly integrated into the individual VM blade. That means you can see whether updates are missing and immediately schedule an update deployment to remediate the issue. Additionally, you can get more information about the missing updates by following the information link.


When you schedule an update deployment, you can select which update classifications should be applied during the run. Update exclusions are also possible if you need to exclude one or several updates. You can specify a schedule for a one-time or a recurring run. Then specify the maintenance window. But be aware of the following:

For updates that require a restart, the virtual machine will restart automatically.
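The same scheduling choices (classifications, exclusions, recurrence, maintenance window and reboot behaviour) can also be expressed in PowerShell. This is an added example, not part of the original article; it assumes the Az.Automation module and an Automation account with the update management solution already enabled, and all resource names, the VM resource ID and the KB number are placeholders.

```powershell
# Added example. Requires an authenticated session (Connect-AzAccount).
# All names and IDs below are hypothetical placeholders.
$rg      = 'rg-automation'     # resource group of the Automation account
$account = 'aa-updatemgmt'     # Automation account name
$vmIds   = @(
    '/subscriptions/<subscription-id>/resourceGroups/<vm-rg>/providers/Microsoft.Compute/virtualMachines/<vm-name>'
)

# Recurring schedule: every Saturday at 02:00, first start one week from today.
$scheduleParams = @{
    ResourceGroupName      = $rg
    AutomationAccountName  = $account
    Name                   = 'weekly-windows-patching'
    StartTime              = (Get-Date).Date.AddDays(7).AddHours(2)
    DaysOfWeek             = 'Saturday'
    WeekInterval           = 1
    ForUpdateConfiguration = $true
}
$schedule = New-AzAutomationSchedule @scheduleParams

# Update deployment: only critical and security updates, one KB excluded,
# a two-hour maintenance window, and an explicit reboot setting so the
# automatic restart is a deliberate choice.
$deploymentParams = @{
    ResourceGroupName            = $rg
    AutomationAccountName        = $account
    Schedule                     = $schedule
    Windows                      = $true
    AzureVMResourceId            = $vmIds
    IncludedUpdateClassification = 'Critical', 'Security'
    ExcludedKbNumber             = '<kb-number-to-exclude>'
    Duration                     = New-TimeSpan -Hours 2
    RebootSetting                = 'IfRequired'
}
New-AzAutomationSoftwareUpdateConfiguration @deploymentParams

# Review what is scheduled and how past runs ended.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account
```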


Would you like to check the next run time of your scheduled update deployments? Have a look at the scheduled update deployments tab.


After a run, you can check under the update deployments tab whether the run was successful and how long it took within the specified maintenance window.


In the same tab, you can click on a specific update deployment to get more information about the installed updates and, if an update failed, which one it was.


The same capabilities you experienced for a single VM are also available in the Azure Automation account you are using for the update management solution. So, you can manage updates for multiple Azure VMs and non-Azure VMs. There is also an additional tab called computers, where you can check the compliance of Azure VMs and non-Azure VMs in a single pane. This gives you a basic indication of whether you need to install updates on your machines.


In my next blog article, I will walk you through how to deploy the update management solution through an Azure Resource Manager template.
